github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-02 09:47:06 +00:00
Code Issues Projects Releases Wiki Activity

check block owner ref on finalizers subresource

Browse Source
This commit is contained in:
David Eads
2017-09-05 11:08:53 -04:00
parent 6003f87b78
commit 6d040812f0
2 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
plugin/pkg/admission/gc/gc_admission.go
View File

@@ -122,7 +122,7 @@ func (a *gcPermissionsEnforcement) Admit(attributes admission.Attributes) (err e
for _, record := range records { for _, record := range records {
allowed, reason, err := a.authorizer.Authorize(record) allowed, reason, err := a.authorizer.Authorize(record)
if !allowed { if !allowed {
return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't delete: %v, %v", reason, err)) return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: %v, %v", reason, err))
} }
} }
} }
@@ -178,12 +178,13 @@ func (a *gcPermissionsEnforcement) ownerRefToDeleteAttributeRecords(ref metav1.O
for _, mapping := range mappings { for _, mapping := range mappings {
ret = append(ret, authorizer.AttributesRecord{ ret = append(ret, authorizer.AttributesRecord{
User: attributes.GetUserInfo(), User: attributes.GetUserInfo(),
Verb: "delete", Verb: "update",
// ownerReference can only refer to an object in the same namespace, so attributes.GetNamespace() equals to the owner's namespace // ownerReference can only refer to an object in the same namespace, so attributes.GetNamespace() equals to the owner's namespace
Namespace: attributes.GetNamespace(), Namespace: attributes.GetNamespace(),
APIGroup: groupVersion.Group, APIGroup: groupVersion.Group,
APIVersion: groupVersion.Version, APIVersion: groupVersion.Version,
Resource: mapping.Resource, Resource: mapping.Resource,
Subresource: "finalizers",
Name: ref.Name, Name: ref.Name,
ResourceRequest: true, ResourceRequest: true,
Path: "", Path: "",

14
plugin/pkg/admission/gc/gc_admission_test.go
View File

@@ -39,6 +39,9 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (bool, string, error) {
if a.GetVerb() == "delete" { if a.GetVerb() == "delete" {
return false, "", nil return false, "", nil
} }
if a.GetVerb() == "update" && a.GetSubresource() == "/finalizers" {
return false, "", nil
}
return true, "", nil return true, "", nil
} }
@@ -46,6 +49,9 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (bool, string, error) {
if a.GetVerb() == "delete" && a.GetResource() == "pods" { if a.GetVerb() == "delete" && a.GetResource() == "pods" {
return false, "", nil return false, "", nil
} }
if a.GetVerb() == "update" && a.GetResource() == "pods" && a.GetSubresource() == "finalizers" {
return false, "", nil
}
return true, "", nil return true, "", nil
} }
@@ -53,6 +59,9 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (bool, string, error) {
if a.GetVerb() == "delete" && a.GetResource() == "replicationcontrollers" { if a.GetVerb() == "delete" && a.GetResource() == "replicationcontrollers" {
return false, "", nil return false, "", nil
} }
if a.GetVerb() == "update" && a.GetResource() == "replicationcontrollers" && a.GetSubresource() == "finalizers" {
return false, "", nil
}
return true, "", nil return true, "", nil
} }
@@ -326,7 +335,10 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
return err == nil return err == nil
} }
expectCantSetBlockOwnerDeletionError := func(err error) bool { expectCantSetBlockOwnerDeletionError := func(err error) bool {
return strings.Contains(err.Error(), "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't delete") if err == nil {
return false
}
return strings.Contains(err.Error(), "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on")
} }
tests := []struct { tests := []struct {
name string name string